Overview of ACE Remote Access

You can access the ACE remotely using any of the following protocols:

HTTP

HTTPS

ICMP

KALAP-UDP

SSH

SNMP

Telnet

These protocols require that you configure a management traffic policy on the ACE and associate that policy with the interface that you intend to use for management traffic. A management policy allows the classification and distribution engine (CDE) to classify (match) incoming management traffic to the management policy and to forward that traffic to the control plane (CP). For complete details about remote access, see the Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0)).
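The chain described above (management class map, management policy, interface) can be checked mechanically against a saved running-config. This is an added example, not part of the Cisco documentation: the configuration text is a constructed sample that assumes the usual ACE running-config layout, and `sections`, `diagnose` and the class-map and policy names are illustrative.

```python
import re

# Constructed sample (assumed ACE running-config layout; names, VLANs and mask are made up).
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol icmp any
class-map type management match-any LEGACY_ACCESS
  2 match protocol telnet any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
  class LEGACY_ACCESS
    deny
interface vlan 100
  ip address 192.168.0.210 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 200
  ip address 10.1.1.1 255.255.255.0
"""
CMAP = r"class-map type management \S+ (\S+)$"
PMAP = r"policy-map type management \S+ (\S+)$"
INTF = r"interface vlan (\d+)$"

def sections(config, header):
    """Yield (name, stripped body lines) for each top-level section matching `header`."""
    for block in re.split(r"\n(?=\S)", config.strip()):
        first, *body = block.splitlines()
        if m := re.match(header, first):
            yield m.group(1), [line.strip() for line in body]

def diagnose(config, protocol):
    """Return (vlans, reason): VLANs accepting `protocol`, or the first broken link."""
    cmaps = {n for n, b in sections(config, CMAP)
             if any(re.search(rf"match protocol {re.escape(protocol)}\b", l) for l in b)}
    if not cmaps:
        return [], "protocol not in any management class map"
    # Simplification: the permit/deny action is expected on the line after "class NAME".
    policies = {n for n, b in sections(config, PMAP)
                if any(b[i] in {"class " + c for c in cmaps} and b[i + 1] == "permit"
                       for i in range(len(b) - 1))}
    if not policies:
        return [], "class map not permitted in any management policy"
    vlans = sorted(int(n) for n, b in sections(config, INTF)
                   if any("service-policy input " + p in b for p in policies))
    if not vlans:
        return [], "management policy not applied to any interface"
    return vlans, "ok"
```

Each failure reason names the first link in the chain that is missing, so the result says which part of the configuration to correct.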

Configuring a Management Policy for Remote Access

To configure a management policy that allows remote access to the ACE using ICMP, SSH, or Telnet, enter the following commands:

Troubleshooting Remote Access

If you cannot access the ACE module remotely, follow these steps:

1. Beginning with ACE software release A2(1.1), by default, the ACE CLI is only locally accessible either using the ACE console port or through the supervisor by entering the session command. Remote access to the ACE (for example, Telnet, SSH, and so on) is disabled until you change the admin user account password from the default. Access to the XML API is also disabled until you change the www user account password from the default. The ACE will display these warnings each time you access the CLI using the console port or the supervisor until you change these passwords.

cat6k#session slot 5 processor 0
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.20 ... Open
ACE_module5 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Please change the password for admin user.
Admin user is allowed to login only from supervisor until the password is changed.
User 'www' is disabled. Please change the password to enable the user.

Use the following commands to change the passwords of the admin and www user accounts:

3. Ensure that the remote access protocol (for example, Telnet or SSH) that you are trying to use is configured in the management class map and that the management class has been permitted in the management policy. If necessary, correct your ACE configuration. To display your management policy configuration elements, enter the following Exec mode commands:

4. Ensure that the management policy is applied to the correct interface and that you are using the correct IP address for that interface. If necessary, correct your configuration. Enter the following command:

If traffic is reaching the CDE, the Packets received and the CDE Hyperion Interface Packets transmitted counters should be increasing. If not, contact TAC.

11. If packets are not reaching the CDE, ensure that the MSFC in the Catalyst 6500 series switch or the Cisco 7600 series router is sending packets to the switch fabric interface (SFI) by entering the following command on the supervisor engine:

2. Ensure that the SSH key has been generated by entering the following command:

switch/Admin# show ssh key
**************************************
could not retrieve rsa1 key information
**************************************
could not retrieve rsa key information
**************************************
could not retrieve dsa key information
**************************************
no ssh keys present. you will have to generate them
**************************************

The show ssh key command output shows that no SSH key has been generated.

3. Generate an SSH key based upon your security requirements by entering the following commands:

4. Try connecting to the ACE via SSH again by entering the following command:

[linux]$ ssh admin@192.168.0.210
Warning: Permanently added '192.168.0.210' (RSA) to the list of known hosts.
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
ACE_module5/Admin#

5. Confirm the SSH session from the ACE CLI by entering the following command: